top of page

2023 Data Breaches 

V2verify Is The Key To Preventing Data Breaches

V2verify is the answer for preventing data breaches like these, but until they are no longer an issue, we want to provide you with tools and information to minimize your risk and exposure.   

September 2023

Sept 25

Oak Valley Hospital
An unauthorized party accessed systems at Oakdale, Calif.-based Oak Valley Hospital District and was able to gain access to files that contained patient data. On July 18, the hospital noticed suspicious activity on its systems and launched an investigation into the incident.  The investigation revealed that an unauthorized party gained access to its systems between April 21 and July 18, gaining access to files that contained patient information, according to a Sept. 15 news release from Oak Valley.  The following patient information was in the files: names, health insurance information and information regarding their care. For some patients, Social Security numbers may have also been compromised. 

Sept 23

Air Canada 
Air Canada, the flag carrier and the largest airline of Canada, disclosed a cyber security incident this week in which hackers "briefly" obtained limited access to its internal systems.
According to the airline, the incident resulted in the theft of a limited amount of personal information of some of its employees and "certain records." Customer data was not affected.

Sept 22

Mountrail County Medical Center 
Patients of Mountrail County Medical Center have been notified of a data breach at a third-party company that provides certain services to the center.
The release indicates that DMS’ investigation revealed unauthorized access to certain information on the DMS network between March 27 and April 24, 2023.

Sept 21

Pizza Hut
Pizza Hut Australia is sending data breach notifications to customers, warning that a cyberattack allowed hackers to access their personal information.
The notification warns that the hacker gained unauthorized access to Pizza Hut Australia systems storing sensitive info for customers who made online orders, as well as partial financial data and encrypted account passwords.

Sept 19

Lakeland Community College
Lakeland Community College filed a notice of data breach with the Attorney General of Maine after discovering that an unauthorized party had gained access to its computer network for a period of roughly three weeks. In this notice, Lakeland explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, Social Security numbers, dates of birth, driver’s license numbers, state identification numbers, financial account information, credit or debit card information, passport numbers, medical information, and health insurance information.

Sept 19

Clorox
The Clorox Company, makers of bleach and other household cleaning products, doesn't expect operations to return to normal until near month end as it combs over "widescale disruption to operations" caused by cyber baddies.
The $7+ billion turnover biz, whose sub-brands include Burt's Bees, Formula 409 and Kitchen Bouquet, confirmed last month that it had identified unauthorized activity in its network but didn't reveal whether the crooks had exfiltrated data, when it happened, or how long it took to spot them.
Certain unspecified systems were pulled offline "out of an abundance of caution," and some operations were "impaired" as a result.

Sept 18

TransUnion 
In a concerning turn of events, TransUnion, the international credit reporting agency, has again fallen victim to a data breach, exposing thousands’ personal information. The TransUnion breach, attributed to a group known as “USDoD,” highlights the pressing need for enhanced cybersecurity measures in today’s digital landscape.
Notably, “USDoD” has not limited its activities to TransUnion alone. They have also compromised NATO, raising grave concerns about the organization’s digital security.

Sept 18

Limestone Bank 
Limestone bank in the US has disclosed a data breach exposing some 50,000 customers’ personal details, including financial account and credit card numbers.
In a letter of notification sent to affected clients on September 15th, Limestone said it had “identified unusual activity involving an employee’s email account” that prompted it to launch an inquiry.
Another notification issued to the state of Maine, which imposes strict reporting requirements on organizations suffering cyberattacks that affect its residents, placed the total number of victims at 47,590. The vast majority of these resided in other parts of America.

Sept 18

Virginia Tech 
Virginia Tech had files containing personal data belonging to its current and former students and employees leaked online following a data breach, EdScoop reports. Threat actors were able to infiltrate a workstation in Virginia Tech's student affairs division, enabling access to student and dining service employee demographic data, according to Virginia Tech, which noted that the impact of the attack has been limited to the workstation but investigation is still ongoing.

Sept 18

Microsoft AI
Microsoft AI researchers accidentally exposed tens of terabytes of sensitive data, including private keys and passwords, while publishing a storage bucket of open source training data on GitHub.
This data included 38 terabytes of sensitive information, including the personal backups of two Microsoft employees’ personal computers. The data also contained other sensitive personal data, including passwords to Microsoft services, secret keys and more than 30,000 internal Microsoft Teams messages from hundreds of Microsoft employees.

Sept 14

Airbus 

A threat actor and alleged ransomware operator going by the alias USDoD has leaked data on over 3,000 suppliers of aviation giant Airbus after supposedly penetrating the organisation’s systems using a hacked customer account belonging to Turkish Airlines.

According to Hudson Rock, which was first to identify the emerging incident, USDoD had already gained a measure of notoriety when they took to the underground Breached forum at the end of 2022 to offer a data set allegedly purloined from the FBI’s InfraGard system.

Sept 11

MGM Resort 
MGM Resorts International said it’s investigating a cyberattack that forced the gaming company to shut down certain systems, in a Monday post on X, the social media site formerly known as Twitter.

Multiple reports indicate guests were unable to use digital room keys, payment systems were not working and hotel restaurants could only accept cash. MGM issued an update Monday night on X saying its dining, gaming and entertainment venues were fully operational and that guests were still able to access their hotel rooms. The front desk at MGM properties were ready to assist guests as needed.

The company said it has notified law enforcement and brought in outside cybersecurity experts to assist in the investigation. 

Sept 8

Dymocks
Dymocks has warned customers to “be vigilant” and monitor their accounts after the book store chain was hit by a security breach this week.
In an email to customers, Dymocks said they had “become aware that some of our customer information may have been compromised”.
Dymocks said it was made aware of the breach on September 6 and that an investigation was underway, though early findings painted a grim picture.

Sept 7

Janssen
Johnson & Johnson Health Care Systems ("Janssen") has informed its CarePath customers that their sensitive information has been compromised in a third-party data breach involving IBM.

Sept 6

Amerita
Amerita, a subsidiary of PharMerica, filed a notice of data breach with the Attorney General of Texas after discovering that an unauthorized party was able to access—and potentially acquire—sensitive data from the company’s IT network. In this notice, Amerita explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, addresses and health information.

Sept 1

Bienville Orthopaedic Specialists LLC (“BOS”) Travel booking giant Sabre said it was Bienville Orthopaedic Specialists LLC (“BOS”) filed a notice of data breach with the Attorney General of Maine after discovering that an unauthorized party was able to access and acquire certain information from BOS’ IT network. In this notice, BOS explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, Social Security numbers, medical information, health insurance information, usernames and passwords, financial account information, and driver’s license numbers.

Sept 5

Sabre
Travel booking giant Sabre said it was investigating claims of a cyberattack after a tranche of files purportedly stolen from the company appeared on an extortion group’s leak site.
The Dunghill Leak group claimed responsibility for the apparent cyberattack in a listing on its dark web leak site, alleging it took about 1.3 terabytes of data, including databases on ticket sales and passenger turnover, employees’ personal data and corporate financial information.
Some of the screenshots seen contained records pertaining to employees, including email addresses and their work locations. One screenshot contained employee names, nationalities, passport numbers and visa numbers. Several other screenshots show several U.S. I-9 forms of employees who are authorized to work in the United States. Several passports found in the cache corresponded with Sabre employees, including a Sabre vice president, according to their LinkedIn profiles.

Sept 5

NXP
Dutch chipmaker NXP Semiconductors has alerted customers to a data breach involving their personal information. Those affected appear to be individuals with an online NXP account, which provides access to technical content and community support.
In a statement to TechCrunch, NXP spokesperson Andrea Lempart declined to say how many customers had been impacted by the breach but confirmed that an “unauthorized party” had acquired “basic personal information” from a system connected to NXP’s online portal. This data includes customers’ full names, email addresses, postal addresses, business phone numbers, mobile phone numbers, company names, job titles and descriptions, and communication preferences.

Sept 4

Zaun
A British security contractor called Zaun has confirmed it was hit by LockBit ransomware and has suffered a data breach as a result – with the attack surface being “in an otherwise up-to-date network… a rogue Windows 7 PC” running software for a manufacturing machine.

Sept 4

Freecycle
Freecycle, an online forum dedicated to exchanging used items rather than trashing them, confirmed a massive data breach that affected more than 7 million users.
The nonprofit organization says it discovered the breach on Wednesday, weeks after a threat actor put the stolen data for sale on a hacking forum on May 30, warning affected people to switch passwords immediately.
The stolen information includes usernames, User IDs, email addresses, and MD5-hashed passwords, with no other information exposed, according to Freecycle., an online forum dedicated to exchanging used items rather than trashing them, confirmed a massive data breach that affected more than 7 million users.
The nonprofit organization says it discovered the breach on Wednesday, weeks after a threat actor put the stolen data for sale on a hacking forum on May 30, warning affected people to switch passwords immediately.
The stolen information includes usernames, User IDs, email addresses, and MD5-hashed passwords, with no other information exposed, according to Freecycle.at risk.

Sept 2

AARP
Last month Medicare announced that one of their contractors had been hacked and the personal information of 612,000 Medicare beneficiaries were stolen. The security breach put Social Security numbers, birth dates, driver’s license numbers, health insurance claims, medical history notes, prescription information and other personally identifiable information at risk.

Sept 1

Cognizant / TMG
Cognizant / TMG filed a notice of data breach with the Attorney General of Texas after discovering that an unauthorized party accessed confidential consumer data stored on the company’s computer network. In this notice, Cognizant / TMG explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, addresses, email addresses, phone numbers, dates of birth, Social Security Numbers, claim numbers, bank account numbers and medical service information.

Sept 1

UnitedHealthcare
UnitedHealthcare said Friday that a data breach may affect some North Carolina residents.
The "data security incident" involves patients' personal health information.
UHC said the personal information breached varied but may have included a combination of names, member ID numbers, plan types, and county and state of residency.

Sept 1

Callaway
Topgolf Callaway (Callaway) suffered a data breach at the start of August, which exposed the sensitive personal and account data of more than a million customers.
The company is present in more than 70 countries worldwide and has an annual revenue of over $1.2 billion. It employs roughly 25,000 people.
 

Sept 1

The University of Sydney 

The University of Sydney has some exposure to a third-party data breach, affecting the personal data of a “small proportion” of international students and applicants.

Image credit: The University of Sydney/Facebook.

A notification, published on Thursday afternoon, does not name the third-party but says that it held personal data of some "recently applied and enrolled international applicants”.

Though that data was “accessed”, the university said that “there is currently no evidence that any personal information has been misused.”

August 2023

Aug 30

M&T Bank

Some M&T Bank customers' information may have been stolen in what was a massive cyber-attack, impacting many other companies too.
In a statement, the bank says it wasn’t their internal system that was involved, but rather a third-party company that it uses for file transfer software.
“M&T was informed about a recent global cybersecurity incident involving MOVEit, a file transfer software owned by Progress Software and used by government agencies, major financial firms, and thousands of other organizations, which resulted in the potential exposure of customer information for any organizations using the software,” an M&T spokesperson said in a statement.

Aug 30

Forever 21

F21 OpCo LLC d/b/a Forever 21 (“Forever 21”) filed a notice of data breach with the Attorney General of Maine after discovering an external system breach compromised the information of over 539,000 individuals. In this notice, Forever 21 explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names and Social Security numbers. 

Aug 30

Paramount 

American entertainment giant Paramount Global disclosed a data breach after its systems got hacked and attackers gained access to personally identifiable information (PII).
Paramount said in breach notification letters signed by Nickelodeon Animation Studio EVP Brian Keane sent to affected individuals that the attackers had access to its systems between May and June 2023.

Aug 29

Blue Cross Blue Shield of Arizona (“AZ Blue”) 

Blue Cross Blue Shield of Arizona (“AZ Blue”) filed a notice with the U.S. Department of Health and Human Services Office for Civil Rights after discovering that TMG Health, one of the vendors used by AZ Blue, experienced a data breach affecting AZ Blue customer data. In this notice, AZ Blue explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, member IDs, addresses, email addresses, phone numbers, dates of birth, Social Security Numbers, and banking information. 

Aug 29

Chevron Federal Credit Union (“CFCU”) 

Chevron Federal Credit Union (“CFCU”) filed a notice of data breach with the Attorney General of Maine after discovering that MOVEit, a file-sharing application used by CFCU, contained a critical vulnerability. In this notice, CFCU explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names and financial account information. 

Aug 28

CLEAResult 

CLEAResult filed a notice of data breach with the Attorney General of Massachusetts after discovering that confidential consumer data that had been entrusted to the company was subject to unauthorized access. In this notice, CLEAResult explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, Social Security numbers and financial account numbers. 

Aug 28

PurFoPurFoods

PurFoPurFoods, a U.S. producer of medically-tailored home-delivered meals, has disclosed a data breach affecting over 1.2 million people.

According to a report filed to regulators last week, hackers might have accessed customers' personal, financial and medical information, including names, financial account and payment card numbers, Social Security numbers, health insurance member identification numbers, as well as account security codes and passwords.

Aug 28

Pole Emploi

The personal information of roughly 10 million individuals was likely compromised in a data breach at French governmental unemployment agency Pole Emploi.
The agency, which registers unemployed individuals, provides them with financial aid, and helps them find new jobs, says it became aware of the incident just over a week ago.
The data breach, the agency says, was the result of a cyberattack on one of its service providers, and that no Pole Emploi system was affected.
According to Pole Emploi, the data compromised during the attack belongs to individuals who registered with the agency until February 2022, and includes names and social security numbers.

Aug 27

MET Police

Met Police security breach: The key questions as force on 'high alert' after officers' details hacked
It may be difficult to prevent future leaks of police data, a former officer has said.
Graham Wettone, a frequent policing commentator on Sky News, also said he had concerns about the outsourcing of information.

Aug 26

Kroll

Kroll on Friday disclosed that one of its employees fell victim to a "highly sophisticated" SIM swapping attack.
The incident, which took place on August 19, 2023, targeted the employee's T-Mobile account, the company said.

Aug 25

Unum 

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Insurance company Unum Group failed to protect its computer systems from a data breach, leading to hackers obtaining the medical information and private identification information of over half a million people, a new class action lawsuit alleges. 

Aug 25

TUSD

Cybersecurity investigators contracted by Tucson Unified School District concluded approximately 29,000 people may have had personal information compromised during a network breach in January.

Aug 23

AmeriBen

The Australian Conservation Foundation says 13,500 of its donors' details have been leaked on the dark web in the IEC Group, which does business under the name AmeriBen, filed a notice of data breach with the Attorney General of Texas after discovering that confidential consumer information that had been entrusted to the company was subject to unauthorized access. In this notice, AmeriBen explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, health insurance information and medical information. 

Aug 23

Australian Conservation Foundation

The Australian Conservation Foundation says 13,500 of its donors' details have been leaked on the dark web in the Pareto Phone data breach.

Key points:

  • Australian Conservation Foundation said Pareto Phone told them it suspected its system had been compromised in April

  • The charity has suspended its relationship with the telemarketer

  • Thousands of donors to Australian charities have had their data stolen

The Heart Foundation, Canteen, Cancer Council, Médecins Sans Frontières and the Fred Hollows Foundation were also caught up in the breach

Aug 23 

Discord 
Starting on Monday, Discord has been reaching out to users affected by a data breach disclosed earlier this year to let them know what Personal Identifying Information (PII) was exposed in the incident.
The breach stemmed from a security breach at a third-party service provider detected on March 29, involving the compromise of an account belonging to a customer support agent.

Aug 22

University of Minnesota
University of Minnesota officials said Tuesday that they’re investigating the possible theft of personal data from university computer systems.  The U launched the investigation in late July after the tech journal The Cyber Express reported claims that a hacker had potentially gained access to more than 7 million Social Security numbers.

Aug 22

Morris Hospital
Morris Hospital and Healthcare Centers in Morris, Illinois, is in the process of mailing notices to current and former patients and employees to inform them that a recent cybersecurity incident may have involved their personal information.
On April 4, Morris Hospital discovered it had experienced a cybersecurity incident, upon which time it "immediately" took steps to contain the incident, according to the hospital. It then retained global cybersecurity professionals to conduct an extensive investigation and assist with recovery efforts.

Aug 22 

DuoLingo
The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information.
Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide.rther use, access, or dissemination of the data, subject to criminal penalties.”

Aug 19 

TESLA 
Tesla has begun notifying current and former employees whose information was included in a confidential data breach in May.
In a notice posted on the Maine Attorney General’s website on Friday, Tesla said an investigation had found “two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies” and that the electric automaker had since filed lawsuits against them.
“These lawsuits resulted in the seizure of the former employees’ electronic devices that were believed to have contained the Tesla information,” Tesla said. The company added that it “also obtained court orders that prohibit the former employees from further use, access, or dissemination of the data, subject to criminal penalties.”

Aug 18

Maximus Human Services Inc.

Maximus Human Services Inc., a service provider for Colorado's Department of Human Services (CDHS), notified people of a data breach that risks the privacy of many people's personal information Friday.

According to their release, Maximus supports some government programs of CDHS' Division of Child Support Services, including the State Directory of New Hires— this directory is the place where employers report all new employees, providing information such as their full name, Social Security number and address.

Aug 18 

Morris Hospital & Healthcare Centers 
Morris (Ill.) Hospital & Healthcare Centers disclosed a data breach that affected 248,943 patients. The hospital discovered the cybersecurity incident on April 4, according to an Aug. 17 Morris Hospital news release. Information affected in the data breach included: Names, Addresses, Dates of birth, Social Security numbers, Medical record and account numbers, & Diagnostic codes.
According to DataBreaches.net, the Royal Ransomware group claimed responsibility for the breach and added the hospital to its leak site.

Aug 18

College of The Albemarle 
College of The Albemarle officials will work to notify nearly 2,000 current and former students affected by a widespread data breach at the nonprofit that stores student records for many institutions of higher learning across the country.
COA has learned 1,933 current and/or former students have been affected by a breach of what is called “directory information,” which is basically the student’s name and the fact of their enrollment at the institution.

Aug 17 

Missouri Department of Social Services
Medicaid recipients in Missouri were notified this week that hackers may have obtained their personal information.
A letter dated August 9, 2023, said, “The Missouri Department of Social Services (DSS) is writing to notify you that your personal information may have been accessed due to an online security incident.
The State of Illinois said 390,000 residents were impacted by the security breach and that the state was providing credit monitoring to them.

Aug 16 

UMass Chan Medical School
Massachusetts health officials are warning residents of a “global security incident” affecting the personal information of more than 134,000 people, state officials said Tuesday.
UMass Chan Medical School on Monday began “notifying more than 134,000 individuals currently or previously enrolled in certain state programs that their personal information was involved in a recent third-party data security incident,” Executive Office of Health and Human Services officials said in a statement.

Aug 15

Clorox
The Clorox Company has some cleaning up to do as some of its IT systems remain offline and operations "temporarily impaired" following a security breach.
In a filing Monday to the SEC, America's financial watchdog, the cleaning giant disclosed "unauthorized activity" in its networks.

Aug 14

Discord.io

The Discord.io custom invite service has temporarily shut down after suffering a data breach exposing the information of 760,000 members.
Discord.io is not an official Discord site but a third-party service allowing server owners to create custom invites to their channels. Most of the community was built around the service's Discord server, with over 14,000 members.

Yesterday, a person known as 'Akhirah' began offering the Discord.io database for sale on the new Breached hacking forums. As proof of the theft, the threat actor shared four user records from the database.

Aug 14

Alberta Dental Service Corporation

Canda-based dental benefits administrator Alberta Dental Service Corportation (ADSC) recently suffered a malware-based cyber attack which exposed the data of more than 1.5 million customers.

The cyber security incident was discovered on July 9 after a malicious actor gained access to ADSC’s systems. The hacker then deployed malware, encrypting some of the company’s data and systems, meaning they were temporarily inaccessible.

Aug 14 

HUB International

Insurance brokerage firm HUB has reported a cyber breach mainly related to its US operations, with former and current staff as well as clients potentially affected.

In a statement shared with Insurance Business, HUB International, the parent company of HUB, provided updated information about the cyber event.

Aug 07 

Johns Hopkins Health System
The U.S. Office for Civil Rights is investigating a May 31 data breach that affected Baltimore-based Johns Hopkins Health System. 
The investigation will look into the details of the breach that affected 2,584 people at Johns Hopkins Health System and 2,975 people at Columbia, Md.-based Johns Hopkins Howard County General Hospital, according to the publication. 

Aug 14

HCA Healthcare
The U.S. Office for Civil Rights is investigating a May 31 data breach that affected Nashville-based HCA Healthcare has sent letters to certain patients affected by a data security incident that took place on or around July 5, and continues to mail out notification letters on a "rolling basis," according to states of residence.
A filing with the U.S. Department of Health and Human Services claims HCA discovered that a list of certain information pertaining to its patients was made available on an online platform by an unauthorized party.
The information was obtained by the unauthorized party in late June in what appears to be a theft from an external storage location exclusively used to automate the formatting of email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.

Aug 14

Vermont Department of Financial Regulation
A large-scale security breach may have compromised the personal data of thousands of Vermonters.
The Vermont Department of Financial Regulation issued a notice on Friday afternoon, saying that personally identifiable information for roughly 42,000 Vermonters was part of the security breach.
More than 38 million consumers nationwide are estimated to have been affected as well.
The data breach occurred after a ransomware group infiltrated the MOVEit file transfer software utilized by public and private organizations both locally and across the country.

Aug 11

Fidelity National Information Services, Inc. (“FIS Global”) 
The U.S. Office for Civil Rights is investigating a May 31 data breach that affected Fidelity National Information Services, Inc. (“FIS Global”) filed a notice of data breach with the Attorney General of Maine after discovering that a vulnerability in the MOVEit file transfer program used by FIS Global compromised consumer information. Based on the available information, an unauthorized party was able to access consumers’ sensitive information, which includes their names and Social Security numbers. 

Aug 11 

Colorado Department of Health Care Policy and Financing

The Colorado Department of Health Care Policy and Financing was notified recently of a data breach impacting an unspecified number of people's personal information and protected health information. According to HCPF, their systems were not breached, rather the problem impacted vendor software used by many organizations.

Progress Software, the maker of the MOVEit transfer application, announced publicly they discovered evidence of a cybersecurity incident incident in late May. That company notified its partners of the problem, including IBM, who is a vendor of HCPF. MOVEit is used to encrypt files during transfers across computer networks.

Aug 11 

Family and Social Services Administration
The personal information of more than 700,000 Medicaid beneficiaries in Indiana has been exposed in a data breach in late May.
The Family and Social Services Administration announced on Friday afternoon that a third party contractor had experienced a data breach.
“The names, addresses, case numbers and Medicaid numbers of more than 744,000 members of Indiana Medicaid were exposed in the breach,” according to the FSSA's press release. “Social Security numbers of four additional Medicaid members were impacted.”
The breach occurred in a software called MOVEit used by Maximus Health Services, a third party contractor.

Aug 11

Cumbria Police 
Another British police force has experienced a huge breach of the data of all its officers and staff, the Guardian has learned.
Cumbria police has admitted accidentally publishing the names and salaries of every one of its more than 2,000 employees and has apologised.
One officer told the Guardian of dismay in the force at the leak.
The data breach happened in March and has not previously been publicised.

Aug 08

Colorado Department of Higher Education (CDHE)
The Colorado Department of Higher Education (CDHE) announced a major data breach that occurred between June 11 and June 19, potentially affecting a significant number of students and educators dating back to 2004. The breach was discovered on June 19 when CDHE became aware of a cybersecurity ransomware incident that had impacted their network systems.
During the ongoing investigation, CDHE determined that unauthorized individuals had gained access to their systems during the specified period. As a result of this breach, sensitive information such as names, Social Security numbers, student identification numbers, and other education records may have been accessed.

Aug 08

UK Electoral Commission
The UK Electoral Commission disclosed a massive data breach exposing the personal information of anyone who registered to vote in the United Kingdom between 2014 and 2022.
The disclosure comes ten months after the Commission first detected the breach and two years after the initial breach occurred, raising questions about why it took so long to report the incident to the public.
In the "public notification of cyber-attack," the Commission says they first detected the attack in October 2022 but since learned that threat actors breached their systems much earlier, in August 2021.

Aug 08 

Gunster, Yoakley & Stewart
A prominent Miami-based law firm, with offices in 13 cities throughout Florida announced it was the subject of a “data security incident that involved personal information of some individuals, which Gunster obtained in connection with providing legal services.”
The Brickell headquartered Gunster, Yoakley & Stewart, PA also posted the breach’s notice on the firm’s website.
According to the notice and website post, the firm “immediately took measures to contain the incident and securely restore its network. A thorough investigation was conducted,” leading to the realization there had been “unauthorized access to its document management file system over the weeks leading up to its discovery of the incident.”

Aug 08

Police Service of Northern Ireland (PSNI)
The Police Service of Northern Ireland (PSNI) has apologised for mistakenly revealing details of all its 10,000 staff.
NI's Police Federation said the breach could cause "incalculable damage".
In response to a Freedom of Information (FoI) request, the PSNI had shared names of all police and civilian personnel, where they were based and their roles.
The details were then published online, before being removed.

Aug 07 

Johns Hopkins Health System
The U.S. Office for Civil Rights is investigating a May 31 data breach that affected Baltimore-based Johns Hopkins Health System. 
The investigation will look into the details of the breach that affected 2,584 people at Johns Hopkins Health System and 2,975 people at Columbia, Md.-based Johns Hopkins Howard County General Hospital, according to the publication. 

Aug 04

Colorado Department of Higher Education (CDHE)
Decades of records belonging to Colorado students could be at risk following a massive data breach at the state's Department of Higher Education.
Officials are continuing to investigate a cybersecurity ransomware incident that occurred between June 11 and June 19, exposing students’ names, social security numbers, student identification numbers and other education records, CDHE announced in a news release Friday.
The department has already begun notifying potentially impacted individuals by mail or email “to the extent CDHE has contact information." 

 

Aug 02

Progressive Casualty Insurance Company (“Progressive”)
Progressive filed a notice of data breach with the Attorney General of Maine after discovering that employees of a third-party vendor improperly shared their Progressive access credentials with unauthorized individuals. In this notice, Progressive explains that the incident resulted in an unauthorized party being able to access consumers’ information, which includes their names, addresses, driver’s license numbers, email addresses, phone numbers, dates of birth and other confidential information.

 

Aug 02

MHMR Authority of Brazos Valley (“MHMR”)
MHMR filed a notice of data breach with the Attorney General of Maine after discovering that an unauthorized party was able to access certain files on the company’s computer network. In this notice, MHMR explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their name, Social Security number, driver’s license number, medical record number, Medicaid or Medicare number, medical treatment, diagnosis information, and health insurance information.

Aug 02

Synergy Healthcare Services
Synergy Healthcare Services filed a notice of data breach with the Attorney General of Maine after discovering that an unauthorized actor had gained access to portions of the company’s computer network. In this notice, Synergy Healthcare explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, Social Security numbers, birth dates, signatures, insurance details, contact information, driver’s license numbers, medical history and treatment information, and financial information.H

Aug 02

Chattanooga Heart Institute
The law firm of Federman & Sherwood has initiated an investigation into Chattanooga Heart Institute with respect to their recent data breach. On July 28, 2023, Chattanooga Heart Institute notified individuals that the company experienced a data breach after an unauthorized party accessed sensitive consumer data entrusted to the company. According to Chattanooga Heart Institute, they determined that information stored on their servers may have been subject to unauthorized access on March 8, 2023. Chattanooga Heart Institute determined that the information exposed in the data breach may include: name, mailing address, Social Security number, driver’s license number, date of birth, email address, phone number, account information, health insurance information, diagnosis/condition information, lab results, medications and other clinical, demographic or financial information.

Aug 02

Arizona Department of Education
A data breach that allowed a parent to see information about other parents getting vouchers can be traced to a now-resigned employee of the Arizona Department of Education, a new report says.
The state Homeland Security Department says there was an "email chain'' between an unnamed employee at the agency and the parent in late June about an order the parent had placed for items or services for a child through ClassWallet, the private firm hired by the state handling such requests.

Aug 02

Allegheny County
Allegheny County has released limited details on a data breach. 
According to the county, they were affected by a global cybersecurity incident impacting the popular file transfer tool, MOVEit. 
The hackers claim they're only interested in business data and deleted files from the county. 
However, the county said they could have personal information from Social Security numbers to health information. 

Aug 01 

Health Employers Association of BC (HEABC)
HEABC said that thousands of health-care workers’ personal information has been compromised in a data breach that’s targeted three websites on thier servers.
Hackers had access to the HEAug 1ABC system from May 9 to June 10 and the breach wasn’t detected until July 13, according to the association, after staff “identified a potential anomaly” but did not provide further explanation.
Health minister Adrian Dix described the information as stolen, but claimed ministry services are not impacted, and that “No patient information, and no information in government systems have been compromised.”

July 2023

July 23

Roblox Data

If you attended the Roblox Developer Conference between 2017 and 2020, your personal information might have been exposed in a recent data breach.

PC Gamer(Opens in a new window) reports that popular gaming platform revealed this week that close to 4,000 names, email addresses, phone numbers, dates of birth, IP addresses, and physical addresses were exposed due to a “third-party security issue.” Hackers also obtained attendees' T-shirt sizes.

July 17

Henry Ford Health 

phishing scheme led to a data breach affecting 168,000 patients.

Patients were told Monday that someone conducting an email phishing scheme gained access to business email accounts on March 30, 2023. That access was quickly discovered, and the email accounts were secured, according to officials.

July 12

Indonesian

Over 34 million Indonesian passports were leaked in a massive data breach impacting the country’s Immigration Directorate General at the Ministry of Law and Human Rights.

Cybersecurity researcher and founder of Ethical Hacker Indonesia, Teguh Aprianto, disclosed the breach on his Twitter account @secgron, attributing the attack to a hacktivist identified as Bjorka.

July 6

Pepsi

In conjunction with a public announcement regarding the incident, Pepsi Bottling Ventures recently informed the Maine Attorney General’s Office that the attackers had access to the personal information of more than 28,000 individuals.

According to the company, the compromised data includes names, addresses, email addresses, financial account information, ID numbers, driver’s license numbers, Social Security numbers, digital signatures, medical history details, and health insurance information.

July 3

Barts Health NHS Trust
A notorious hacking gang known as ALPHV, or BlackCat, has announced that it successfully infiltrated one of the UK’s largest hospital groups, threatening to expose a vast collection of confidential data. The gang’s statement revealed that it had gained unauthorised access to seven terabytes of internal documents belonging to the Barts Health NHS Trust, responsible for managing five hospitals in London, serving approximately 2.5 million individuals.
According to a Bloomberg report, ALPHV has gained notoriety for deploying ransomware, a malicious software that encrypts victims’ computers, rendering them unusable until a ransom is paid. However, the recent trend among hacking groups involves stealing data without deploying ransomware, but subsequently demanding payment to prevent the publication of the stolen information.
Currently, it remains unclear whether the gang resorted to their ransomware tactics on the computers within the London hospitals, namely St. Bartholomew’s, the Royal London, Mile End, Whipps Cross, and Newham.

July 1 

LetMeSpy
Android-based phone monitoring app LetMeSpy has disclosed a security breach that allowed an unauthorized third-party to steal sensitive data associated with thousands of Android users.

"As a result of the attack, the criminals gained access to email addresses, telephone numbers and the content of messages collected on accounts," LetMeSpy said in an announcement on its website, noting the incident took place on June 21, 2023.

Following the discovery of the hack, LetMeSpy said it notified law enforcement and data protection authorities. It's also taking steps to suspend all account-related functions until further notice. The identity of the threat actor and their motives are currently unknown.

June 21

Mondelez
Mondelez, the U.S. manufacturer of Oreo cookies and Milka chocolate, has warned employees that their personal data has been compromised through a breach at the law firm Bryan Cave, which provides legal services to Mondelez and other Fortune 500 companies.
Mondelez stated in its data breach notice that more than 50,000 of its current and former employees were affected by the incident.
The leaked information may include employees' Social Security numbers, first and last names, addresses, dates of birth, marital statuses, genders, employee identification numbers and retirement plan information. Financial information, including credit card numbers, was not affected, the company said.

June 21

UPS
Multinational shipping company UPS is alerting Canadian customers that some of their personal information might have been exposed via its online package look-up tools and abused in phishing attacks.
At first glance, the letters sent by UPS Canada, titled "Fighting phishing and smishing - an update from UPS," seem to be a warning to customers about the dangers of phishing.
However, it turns out that this is actually a data breach notification, with the company sneaking in a disclosure stating that it has been receiving reports of SMS phishing messages containing the recipients' names and address info.

June 19

FirstBank Puerto Rico
Mortgage Industry Advisory Corporation (“MIAC”) filed a notice of data breach on behalf of FirstBank Puerto Rico after MIAC determined that a cyberattack targeting the company’s IT network resulted in FirstBank customer data being leaked. While neither MIAC nor FirstBank has confirmed the leaked data types, MIAC began sending out data breach notification letters to all individuals who were impacted by the recent data security incident. 

June 19

Reddit
The Russia-linked ALPHV/BlackCat ransomware gang posted Reddit on its dark web blog, which is used to showcase its latest victims. The cybercriminals claim to have stolen 80 GB of data during a breach earlier this year.
In early February, the company said that its systems “were hacked as a result of a sophisticated and highly-targeted phishing attack,” with attackers taking some internal documents, code, and some internal business systems.
ALPHV/BlackCat claims its operators broke into Reddit’s systems on February 5th and informed the company about the stolen data on two occasions. However, according to the gang, Reddit did not try to find out what type of data was taken.

June 16

The Hatcher Agency 
The Hatcher Agency filed a notice of data breach with the Attorney General of Maine after learning that a recent data security incident resulted in confidential consumer information being accessible to an unauthorized party. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, driver’s license numbers, contact information, dates of birth, health insurance information and medical information.

June 16

Parker Wellbore
Parker Wellbore filed a notice of data breach with the Attorney General of Texas after learning that hackers gained access to confidential information that had been entrusted to the company. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, driver's license numbers, government-issued identification numbers, financial account information, credit or debit card numbers, and medical information. 

June 16

MOVEit
A vulnerability in data transfer service MOVEit, widely used across government agencies, allowed the group to infiltrate agencies, including the Department of Energy and university systems in multiple states. Some officials spoke promptly to ensure that attacks were detected and mitigated, but others were less quick to declare a positive outcome. One of the greatest challenges of responding to a breach is understanding what an attacker has accomplished already if they are still active, and where they are moving next.
Meanwhile, a message from Clop on Wednesday claimed that the exfiltrated data from victims of this breach had been deleted. The phenomenon of threat actors working within certain limits is not new, but these claims should never be taken at face value. Although the impact of global ransomware campaigns – especially those from Russian-affiliated groups – has ebbed and flowed over the years, there has recently been an increase in significance.

June 14

Leidos
Leidos filed a notice of data breach with the Attorney General of Montana after learning that confidential consumer data in the company’s possession was subject to unauthorized access. Evidently, the breach involved a vulnerability in software created by Diligent Corporation. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ sensitive information, although the exact data types were not provided. 

June 14

MMC
Maimonides Medical Center (“MMC”) posted a notice on its website informing patients of a recent data breach after learning that hackers were able to illegally obtain access to confidential patient information. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security numbers and protected health information.

June 14

Onix Group
Onix Group, a Kennett Square, Pennsylvania-based company that operates commercial real estate and provides management and consulting services, suffered a ransomware attack that resulted in a healthcare data breach.
The breach impacted 319,500 individuals in total. Onix group notified the impacted individuals on behalf of its affiliates, Addiction Recovery Systems, Cadia Healthcare, Physician's Mobile X-Ray, and Onix Hospitality Group.

June 12

Zacks Investment Research 
Zacks Investment Research (Zacks) has reportedly suffered an older, previously undisclosed data breach impacting 8.8 million customers, with the database now shared on a hacking forum.
The firm previously disclosed a data breach that occurred between November 2021 and August 2022, warning that unauthorized network intruders accessed the personal and sensitive information of about 820,000 customers.

June 10

Turkey

Sensitive personal data of Turkish citizens and residents of Turkey has been compromised, according to the Free Web Turkey, a platform dedicated to combating internet censorship in the country.

On Friday, the platform exposed the existence of a website called Sorgu Paneli, which allows unrestricted access to personal data such as identification numbers, names, addresses, telephone numbers and even bank account details in exchange for a free membership. Paid members can obtain even more private information, including title deeds.

June 8

Marshall Melhorn
Marshall & Melhorn, LLC (“Marshall Melhorn”) filed a notice of data breach with the Maine Attorney General after determining that an unauthorized party was able to access confidential information stored on the firm’s IT network. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security numbers, financial account information, driver’s licenses and state identification information, passport information, medical information, and health insurance information. After confirming that consumer data was leaked, Marshall Melhorn began sending out data breach notification letters to all individuals who were impacted by the recent data security incident. 

June 8

ITx
IntelliHartx, LLC (“ITx”) filed a notice of data breach with the Attorney General of Maine after learning that its secure file transfer protocol provider, Fortra, experienced a data privacy event leaking information provided to ITx. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, addresses, dates of birth and protected health information. After confirming that consumer data was leaked, ITx began sending out data breach notification letters to all individuals who were impacted by the recent data security incident. 

June 7

CareNet Medical Group
CareNet Medical Group, PC (“CMG”) filed a notice of data breach with the Attorney General of Vermont after learning that hackers were able to obtain confidential patient information stored on the company’s IT network. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ full names, Social Security numbers, addresses, driver’s license numbers, bank account numbers, bank account routing numbers, dates of birth, medical reference numbers, Medicare numbers, cell phone numbers, home phone numbers, health insurance information, and email addresses. After confirming that consumer data was leaked, CareNet began sending out data breach notification letters to all individuals who were impacted by the recent data security incident. 

June 7

Enzo Biochem
New York-based Enzo Biochem confirmed in a recent Securities and Exchange Commission (SEC) filing that an April 2023 ransomware attack resulted in the potential exposure of information pertaining to nearly 2.5 million individuals.
The molecular diagnostics company experienced a ransomware attack on April 6 that impacted certain information technology systems. Following the discovery, Enzo said it immediately disconnected its systems from the internet, notified law enforcement, and engaged a cybersecurity firm. The company continued to remain open and provide services to patients throughout the response.
Enzo is still investigating the scope of the incident, but has determined unauthorized access or acquisition of clinical test information belonging to 2,470,000 individuals. Of those individuals, 600,000 also had their Social Security numbers involved.

June 6

Pearland Independent School District
Pearland Independent School District (“Pearland ISD”) filed a notice of data breach with the Maine Attorney General after learning that confidential information stored on the district’s computer system was accessed by an unauthorized party. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, dates of birth, addresses, and Social Security numbers. After confirming that consumer data was leaked, Pearland ISD began sending out data breach notification letters to all individuals who were impacted by the recent data security incident. 

June 6

MasterCorp
MasterCorp, Inc. filed a notice of data breach with the Attorney General of Vermont after learning that an unauthorized party had gained access to files containing confidential consumer information stored on the company’s computer network. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names and Social Security numbers. After confirming that consumer data was leaked, MasterCorp began sending out data breach notification letters to all individuals who were impacted by the recent data security incident. 

June 6

HomecareGPS
Elgon Information Systems (“Elgon”), which does business under the name HomecareGPS, filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights (“HHS-OCR”) after learning that confidential consumer information entrusted to the company was subject to unauthorized access. Based on the company’s official filing with the HHS-OCR, the incident likely resulted in an unauthorized party gaining access to consumers’ protected health information. After confirming that consumer data was leaked, Elgon began sending out data breach notification letters to all individuals who were impacted by the recent data security incident. 

June 6

Ascension 
Ascension posted a notice describing a “security incident” on its website after learning that a cyberattack at one of the company’s vendors resulted in leaked patient data. Based on the company’s post, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, addresses, email addresses, phone numbers, and insurance information. After confirming that consumer data was leaked, Ascension began sending out data breach notification letters to all individuals who were impacted by the recent data security incident. 

June 5

SuperVPN
Cybersecurity researcher Jeremiah Fowler discovered and reported that over 360 million user data records have been leaked in a breach with the free VPN service SuperVPN. These records contained tons of personal information, including email addresses, original IP addresses, geolocation records, unique user identifiers, references to visited websites and more. 

June 5

Zellis / MOVEit

A Russian hacker group has issued an ultimatum to firms including British Airways, Boots and the BBC after stealing hordes of staff data from a payroll provider.

Clop, a Russian-speaking cybercrime gang, urged companies to get in touch by 14 June and settle a “price to delete” to avoid their data being exposed.

It was initially thought eight companies were impacted by the raid on payroll provider Zellis, first revealed on Monday, which exploited an unknown third-party file-sharing tool called MOVEit.

June 4

Nova Scotia government
The Nova Scotia government says it is investigating the theft of personal information stolen through a global privacy breach to a third-party file transfer system the province was using.
The province has yet to determine what information may have been taken or how many Nova Scotians could be affected by the breach to software company MoveIt's products, Cyber Security and Digital Solutions Minister Colton LeBlanc said in a Sunday news conference.
"At this time, staff are manually going through all of the files that were accessed to identify what information was stolen and who it belongs to," he said.

June 3

The University of Rochester
The University of Rochester announced it is investigating a data breach.
The U of R says the breach was caused by a software vulnerability in a product provided by a third-party file transfer company used across the campus. The university says the breach has affected both the school and about 2,500 organizations worldwide.
The university says it's working with the Federal Bureau of Investigation and data professionals to learn what was seen and how many people were affected. This potentially includes students, faculty, staff and dependents.

June 2

Harvard Pilgrim Health Care

Millions of consumers are being notified that their Social Security numbers and other highly sensitive information were compromised when hackers breached the Harvard Pilgrim Health Care computer system earlier this year. The data breach lawyers at Console & Associates, P.C. are investigating claims on behalf of Harvard Pilgrim policyholders and anyone else affected by the breach and want victims of the breach to understand their legal rights.

The sensitive personal data of millions of consumers has been compromised. Now, customers' names, Social Security numbers, addresses, phone numbers, dates of birth, health insurance account information, and protected health information may be in the hands of criminals. While there is no telling what hackers plan to do with the stolen data, hackers often use stolen information to steal consumers' identities and commit other frauds against them.

June 2

SimpleTire
At the end of May, Cybersecurity Researcher, Jeremiah Fowler, announced that he had discovered “a non-password protected database that contained over a million customer records.” They were SimpleTire customer order confirmations, which – according to Fowler – “exposed…the customer’s name, phone number, physical address and partial credit card number with expiration dates.”

June 2

Burton
Leading snowboard maker Burton Snowboards confirmed notified customers of a data breach after some of their sensitive information was "potentially" accessed or stolen during what the company described in February as a "cyber incident."

The attack was discovered by Burton on February 11 after causing a "system outage" and forcing the company to cancel online orders.

Burton advised customers who wanted to buy snowboarding gear to go to a brick-and-mortar Burton store or use its new online rental program.

June 2

Dollar Bank
Dollar Bank filed a notice of data breach with the Attorney General of Maine after learning that an unauthorized party was able to access confidential information belonging to Standard Bank customers before the two banks merged. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security numbers, dates of birth, driver’s license numbers, state ID numbers, military ID numbers, bank account numbers, routing numbers, and account types.

June 1

Space, Inc.
iSpace, Inc. filed a notice of data breach with the Attorney General of Montana after learning that an unauthorized party recently gained access to the company’s computer network where confidential consumer data was stored. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, dates of birth, diagnosis information, health insurance group/policy number, health insurance information, subscriber number, and prescription information. 

June 1

UI Community HomeCare
UI Community HomeCare, a subsidiary of University of Iowa Health System, filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after learning that confidential consumer information that had been entrusted to the company was subject to unauthorized access. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, dates of birth, addresses, phone numbers, and protected health information.

June 1

Whitman-Hanson Regional School District
The Whitman-Hanson Regional School District is warning past and present employees about a data breach.  District officials say they were subject to “an insolated ransomware attack” that occurred in July of last year.
As a result a third party was able to gain unauthorized access to past and present District employee data from on-site servers.

June 2023

May 2023

May 31

The Hillsborough County Supervisor of Elections office 

The Hillsborough County Supervisor of Elections office has sent notification letters to thousands of voters impacted by a data breach.
According to the office, a cyber criminal stole the personal information of roughly 58,000 people.
The office said it's working with federal, state, and local law enforcement to investigate the breach.
Investigators said the hacker accessed and copied files which contained personally identifiable information, including social security or driver license numbers.

May 31

Toyota

Two weeks ago, Toyota said it exposed the data of more than two million customers to the internet for a decade. Today, the automotive giant said it recently discovered the data of another 260,000 car owners spilling from its systems.
Toyota said in a statement that it identified another batch of exposed data that was “potentially accessible externally due to a misconfiguration” of its connected cloud service, which allows Toyota customers to get internet services in their vehicles, such as information about their vehicle, in-car entertainment and assistance in the event of a car accident or breakdown.
The carmaker said it learned of the misconfiguration after conducting a wider investigation of its cloud environments after admitting earlier this month that customer data was accessible by anyone from the wider internet.

May 28

ABB

Swiss electrification and automation technology giant ABB confirmed it has suffered a data breach after a ransomware attack.

ABB has more than 105,000 employees and has $29.4 billion in revenue for 2022. On May 7, 2023, the Swiss multinational company, leading electrification and automation technology provider, suffered a cyber attack that reportedly impacted its business operations.

The news of the attack was first reported by BleepingComputer, which is aware that the attack impacted the company’s Windows Active Directory, with hundreds of devices that were infected.

May 26

Suffolk University

Suffolk University filed a notice of data breach with the Attorney General of Maine after learning that a recent cybersecurity event resulted in confidential student information being accessed or obtained by an unauthorized party. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to students’ names and Social Security numbers. 

May 26

Tennessee Orthopaedic Clinics

Tennessee Orthopaedic Clinics (“TOC”) filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights (“HHS-OCR”) after determining that an unauthorized party was able to access confidential patient data stored on the company’s computer network. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to patients’ names, contact information, dates of birth, diagnosis and treatment information, provider names, dates of service, cost of services, prescription information, and health insurance information. 

May 26

Sur La Table

SLT Lending SPV, Inc., the company that owns and operates Sur La Table, filed a notice of data breach with the Attorney General of Maine after confirming that an unauthorized party accessed certain files on the company’s computer network that contained confidential employee information. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to employees’ names, driver’s license numbers, state identification numbers, and medical or health information. 

May 26

Tesla

The data protection watchdog for the Netherlands said on Friday it was aware of possible Tesla data protection breaches, but it was too early for further comment.

Germany's Handelsblatt reported on Thursday that Elon Musk's Tesla (TSLA.O) had allegedly failed to adequately protect data from customers, employees and business partners, citing 100 gigabytes of confidential data leaked by a whistleblower.

May 25

Universal Health Services of Delaware, Inc

Approximately 130,000 patients in Texas—and an untold number of others nationwide—are being notified that their protected health information was compromised when hackers breached the computer system of Universal Health Services of Delaware, Inc. ("UHS") earlier this year. The data breach lawyers at Console & Associates, P.C. are investigating claims on behalf of current and former UHS patients and want customers who were affected by the breach to understand their legal rights.
The sensitive personal data of more than 130,000 patients who received care at UHS has been compromised. Now, customers' protected health information may be in the hands of criminals looking to steal patients' identities.

May 25

Franklin Templeton Investments Corporation 

Franklin Templeton Investments Corporation (“Franklin Templeton Canada”) filed a notice of data breach with the Attorney General of Maine after learning about a cybersecurity event at InvestorCOM, a third-party vendor used by Franklin Templeton Canada to deliver certain documents. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses and Franklin Templeton account numbers.

May 25

Fresh Del Monte Produce, Inc.

Fresh Del Monte Produce, Inc. filed a notice of data breach with the Attorney General of Massachusetts after learning that confidential employee information was subject to unauthorized access following a cyberattack. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, driver’s license numbers, passport numbers, financial account information and protected health information. 

May 24

Sentara Healthcare 

Sentara Healthcare posted a “Data Incident Notice” on its website after learning that a data breach at R&B Corporation of Virginia, which does business under the name Credit Control Corporation, compromised confidential information belonging to Sentara patients. Based on an official filing from Credit Control Corporation (“CCC”), the incident resulted in an unauthorized party gaining access to patients’ names, addresses, Social Security numbers, account numbers, account balances, and dates of service. 

May 24

Harvard Pilgrim Health Care

Harvard Pilgrim Health Care suffered a cybersecurity breach between March 28 and April 17 that affected members, accounts, brokers, and providers, the company announced Tuesday.
As a result, the parent company, Point32Health, has launched an investigation into the incident, which affected Harvard Pilgrim Health Care commercial and Medicare Advantage Stride users.
Files taken may include personal information — including phone numbers and social security numbers — and protected health information for both current and former contracted providers, dependents, and subscribers, the company said.

May 22

Constellation Software Inc

Constellation Software Inc. filed a Notice of Data Breach with the Vermont Attorney General’s office after learning that an unauthorized party accessed confidential consumer information after gaining access to portions of the company’s computer network.

May 22

PillPack

PillPack, an online pharmacy owned by Amazon, has reported a data breach affecting more than 19,000 customers.

The cyberattack exposed users’ email addresses, prescription information and their providers’ contact details. Social Security numbers and credit card information weren’t involved. PillPack said more than 3,600 affected accounts included prescription data.

The online pharmacy said it discovered the breach on April 3, and it determined an unauthorized person used users’ email addresses and passwords to sign into their accounts between April 2 and April 6.

PillPack said an internal investigation found email addresses and passwords weren’t taken, and it’s likely the unauthorized user was able to access accounts because customers used the same log-in information for another website.

May 22

Sysco

Leading American food distributor Sysco is investigating a data breach that potentially leaked business, employee, and customer data.
On March 14, 2023, Sysco discovered that a threat actor gained access around January 14, 2023, and allegedly accessed corporate and personal information.
Although an investigation was still in progress, Sysco has begun notifying impacted individuals and has reported the incident to relevant law enforcement agencies.

May 22

DISH 

A February ransomware attack against satellite broadcast giant DISH leaked the personal information of nearly 300,000 people, according to regulatory filings made by the company last week.
DISH confirmed that it was hit with ransomware after it suffered widespread outages. The attack affected DISH’s internal communications, customer call centers, and websites.
The company told regulators in Maine last week that 296,851 people had data affected by the incident, and in breach notification letters sent out on May 18 they confirmed that personal data was involved, including driver’s license numbers.
The letters confirm that the network outage began on February 23 and affected the company’s internal servers and IT systems. They shut down their internal network, hired cybersecurity experts and notified law enforcement once they realized the severity of the situation.

May 21

Discord

Instant messaging and social media platform Discord, which is particularly popular among online gamers, disclosed a data breach last week, after their third party support agent got hacked.

May 20

Peachtree Orthopedics

An Atlanta clinic alerts patients to at least its third incident involving patient data in seven years. Karakurt threat actors recently added Peachtree Orthopedics in Atlanta (Peachtree Orthopaedic Clinic, P.A.) to their leak site. As often seems to be the case with Karakurt listings, the date on Karakurt’s post is somewhat confusing, and they make inconsistent claims about how much data they stole. 

May 19

Luxottica

Luxottica has confirmed one of its partners suffered a data breach in 2021 that exposed the personal information of 70 million customers after a database was posted this month for free on hacking forums.
Luxottica is the world’s largest eyewear company, glasses, and prescription frames maker, and the owner of popular brands like Ray-Ban, Oakley, Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors, and many other. The company also operates Eyemed, a vision insurance company in the US.

In November 2022, a member of the now-defunct “Breached” hacker forum attempted to sell what he claimed to be a 2021 database containing 300 million records of personal information related to Luxottica customers in the United States and Canada.

.

May 16

Brightly Software

Brightly Software, Inc. filed a notice of data breach with the Office of the Maine Attorney General after learning that an unauthorized party gained access to confidential account holder information stored in the company’s SchoolDude user database. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, email addresses, account passwords, phone numbers and school district names.

May 16

Fotra

The U.S. Department of Health and Human Services (HHS) recently announced the discovery of a data breach involving cybersecurity company Fortra, which may have affected more than four million people worldwide. This attack specifically targeted medical data.
Affected organizations include Hitachi Energy, Saks Fifth Avenue, Procter & Gamble, NationBenefits, and many more organizations across the United States and world. The exact number of Michigan residents who may be affected remains unknown.

May 15

PharMerica

National pharmacy network PharMerica last week started sending out notification letters to more than 5.8 million individuals to disclose a data breach that occurred in March.

Owned by BrightSpring Health, a provider of home and community-based health services, PharMerica operates over 2,500 facilities across the US and offers more than 3,100 pharmacy and healthcare programs.

On Friday, PharMerica informed the Maine Attorney General’s Office that the personal information of more than 5.8 million individuals was compromised after an unauthorized party accessed its computer systems in March.

The data breach, the company says in notification letters sent to the impacted individuals, occurred between March 12 and March 13.

Personal information compromised during the incident includes names, addresses, birth dates, Social Security numbers, health insurance, and medication information.

May 15

Uintah Basin Healthcare
Uintah Basin Healthcare (UBH) recently notified 103,974 individuals of a healthcare data breach that potentially compromised the protected health information of patients. UBH first discovered suspicious network activity on November 7, 2022 and took immediate steps to secure its systems.

However, it was not until April 7, 2023 that UBH learned that patient data may have been accessed or acquired during the incident. Specifically, the breach impacted patients who received care at UBH between March 2012 and November 2022.

May 15

Toyota
A data breach affecting the world’s largest car manufacturer, Toyota, has led to the data of over 2 million customers over 10 years being revealed.
The Japanese car company revealed that the data breach led to the car-location information of 2.15 million customers being revealed, spanning almost 10 years, starting 6 November 2013 to 17 April 2023.
According to a release on Toyota’s website, translated by Google, the incident occurred on the car company’s cloud environment due to a misconfigured database.
“It was discovered that part of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation (hereinafter referred to as TC) to manage had been made public due to misconfiguration of the cloud environment,” the release said, translated from Japanese.
The breach led to the data of customers who had used Toyota’s in-car smart service T-Connect, which helps with voice assistance, customer service support, on-road emergency help and more.

May 13

Capita
Business process outsourcing firm Capita is warning customers to assume that their data was stolen in a cyberattack that affected its systems in early April.
Almost six weeks after the attack was disclosed, Capita warned Universities Superannuation Scheme (USS), the largest private pension scheme in the UK, to react to the incident under the assumption that their members' data was stolen.
USS manages the pensions of over 500,000 members from UK universities and Higher Education institutions (and their families), investing £82.2 billion (over $102 billion) on their behalf.

May 12

U.S. Transportation Department (USDOT)
The personal information of 237,000 current and former federal government employees has been exposed in a data breach at the U.S. Transportation Department (USDOT).
The breach hit systems for processing TRANServe transit benefits that reimburse government employees for some commuting costs. It was not clear if any of the personal information had been used for criminal purposes.

May 12

Discord  
Discord is notifying users of a data breach that occurred after the account of a third-party support agent was compromised.
The security breach exposed the agent's support ticket queue, which contained user email addresses, messages exchanged with Discord support, and any attachments sent as part of the tickets.
Discord says it immediately addressed the breached support account by disabling it once the incident was discovered. 

May 11

New Mexico Department of Health
The New Mexico Department of Health (DOH) reported a breach to HHS that impacted 49,000 individuals. The breach occurred when DOH discovered that a spreadsheet containing information about individual deaths in New Mexico had been sent to a journalist.

The journalist had requested information under the Inspection of Public Records Act, but the information that was sent included protected health information (PHI). Specifically, the spreadsheet contained PHI regarding every death in New Mexico from January 2020 to December 2021.

Notably, the information did not include names, birthdates, addresses, or contact information. DOH encouraged families to remain vigilant against any suspicious activity in the name of a recently deceased person in their family

May 10

University Urology 
University Urology in New York City has started notifying 56,816 individuals that unauthorized individuals gained access to some of its systems and potentially obtained their personal and health information. Suspicious activity was detected within its computer systems on February 1, 2023, and third-party cybersecurity experts were engaged to conduct a forensic analysis of the incident to determine the nature and scope of the attack. 

May 10

RC Document Solutions, Inc
ARC Document Solutions, Inc. (“ARC”) filed a notice of data breach with the Montana Attorney General after confirming that an unauthorized party was able to access files stored on the company’s computer network that contained confidential consumer information. While ARC has yet to publicly disclose the specific data types that were leaked as a result of the cyberattack, we know that the breach involved sensitive consumer information.

May 9

ASAS Health, LLC
ASAS Health, LLC (“ASAS”) filed a notice of data breach with the Attorney General of Maine after determining that a security incident earlier this year compromised the confidential information of over 25,000 individuals. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, dates of birth, Social Security numbers, addresses, driver’s license numbers, protected health information and financial account information.

May 9

NationsBenefits
A data breach is affecting nearly 20,000 Mainers.
The company involved is a contractor for Aetna insurance.
The company NationsBenefits, which is a third-party vendor of Aetna insurance, says hackers stole personal data from some members back in January.
NationsBenefits says a software it used to exchange personal heath files with health insurance companies, including Aetna, is what was targeted.

May 9

NextGen Healthcare 

NextGen Healthcare, which makes and sells software for medical and other healthcare providers, is the target of a federal lawsuit charging that it was negligent in defending itself against a cyberattack that permitted hackers access to information about more than a million consumers.

The cyberattack exposed data of at least 1,049,375 individuals, according to the suit, filed by attorneys for Cory Benn, a New York resident.

May 9

Sysco 
Sysco, a leading global food distribution company, has confirmed that its network was breached earlier this year by attackers who stole sensitive information, including business, customer, and employee data.
In an internal memo sent to employees on May 3rd and seen by BleepingComputer, the company revealed that customer and supplier data in the U.S. and Canada, as well as personal information belonging to U.S. employees, may have been impacted in the incident.

May 8

Medicalodges, Inc
Medicalodges, Inc. reportedly experienced a cybersecurity event possibly resulting in a data breach affecting patient information. While the company has not yet filed official notice of the breach, secondary reports suggest that the incident resulted in an unauthorized party gaining access to consumers’ confidential consumer information, including Social Security numbers.

May 5

Bluefield University 
BleepingComputer reports the Virginia-based Bluefield University had its RamAlert emergency broadcast system taken over by the AvosLocker ransomware operation, also known as Avos, after disclosing that it had been impacted by a cyberattack. Bluefield University students and staff were notified on April 30 regarding a cyberattack on the University's IT systems that resulted in the postponement of all examinations.

May 5

McPherson Hospital 
McPherson (Kan.) Hospital suffered a data breach caused by hacking that compromised the information of 19,020 patients.

The ransomware was first discovered in July 2022, and McPherson concluded the investigation March 15. The hospital has no evidence of misuse of personal information, according to a May 4 notice of breach with the Maine attorney general.

May 5

Our Sunday Visitor, Inc
An Indiana-based religious magazine has announced a data breach may have leaked sensitive subscriber information, including Social Security numbers and bank info.
‘Our Sunday Visitor’, Inc., a popular Catholic magazine and publishing company headquartered in Huntington, released a statement Friday regarding a data breach they said occurred in March and “may affect the privacy of some personal information maintained by OSV.”

May 5

New York’s Metropolitan Opera
New York’s Metropolitan Opera is notifying over 45,000 people of a data breach. In a letter sent to patrons who bought items online the institution said data stolen includes names, financial account or credit card numbers, card security codes and Met account passwords or PIN numbers. The Met believes that data was stolen between September 30th and December 6th.

May 2

Mackenzie InvestmentsCarvin Software, LLC
Carvin Software, LLC filed a notice of data breach with the Maine Attorney General after learning that an unauthorized party was able to copy files containing confidential consumer information from the company’s computer network. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, and financial account information.

May 2

ChatGPT/ Open AI
OpenAI, which developed the chatbot, confirmed a data breach in the system that was caused by a vulnerability in the code’s open-source library, according to Security Week. The breach took the service offline until it was fixed.

May 1

T-Mobile
T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023.

May 1

TIC Hosting Solution
TIC Hosting Solutions in Romania had a recent data breach affecting customer data. The tipster provided an .SQL database called “Galactic” as an example of data being leaked. The users table included usernames and email addresses, including one for “tichhosting.”

May 1

Americold
Americold, a leading cold storage and logistics company, has been facing IT issues since its network was breached on Tuesday night.
The company said it contained the attack and is now investigating the incident that also affected operations per customer and employee reports.

May 1

The Diocese of Las Vegas
The Diocese of Las Vegas was the recent victim of a data breach.
The Diocese says its IT systems were impacted on March 12.
After notifying the police, the Diocese worked with cybersecurity experts to assess, contain and fix the problem.
The information of parishioners, volunteers, donors, and stakeholders may have been compromised.

May 1

The American Bar Association (ABA) 
The American Bar Association (ABA) suffered a massive data breach that leaked the user credentials of more than a million members. ABA notified affected individuals that it detected unauthorized third-party access on March 17, 2023.

The legal professional body initiated an incident response plan and engaged external cybersecurity experts to assist with the investigation. On March 23, 2023, the investigation determined that the threat actor gained access to a decommissioned server around March 06, 2023, and obtained certain client information.

May 1

United Healthcare
United HealthCare made customers aware of a data breach on Friday, which temporarily allowed access to personal information for those enrolled in the company's healthcare plans. 
According to a statement, "suspicious activity" was noticed on the UHC mobile application "that may have led to the disclosure of member information."
The company says that the breach happened between February 19 and February 25, and it was determined on April 10 that some member information was impacted. 
They believe that information including members' first and last names, health insurance member identification numbers, dates of birth, addresses, dates of service, provider names, claim information and group name and number may have been available. 

April 2023

April 28

Kodi
Streaming platform Kodi confirmed that it suffered a data breach after the account of a “trusted but inactive” member of its user forum admin team was twice-used to access its web-based MyBB admin console.

April 28

Oklahoma City University School of Law
Oklahoma City University School of Law was negligent with the storage of its students’ data, leading to a breach that may have compromised thousands of peoples’ Social Security, driver license and passport numbers, a new class action lawsuit alleges.

April 28

Santa Clara

California-based Santa Clara Health Plan (SCHP) reported a breach tied to a known vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution that impacted 276,993 individuals. As previously reported, threat actors have been leveraging the vulnerability to gain access to sensitive data.
Community Health Systems and Blue Shield of California are just a few organizations that have been impacted by the Fortra hack.
In the case of Santa Clara Health Plan, the breach impacted one of its vendors, NationsBenefits, which provides supplemental benefits administrations services to healthcare plans, including SCHP. SCHP’s website notice directs patients to the NationsBenefits website, which contains details of the breach.

April 24

Livingston International, Inc.
Livingston International, Inc. (“Livingston”) filed a notice of data breach with the Texas Attorney General determining that confidential consumer information that had been entrusted to the company was subject to unauthorized access. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security numbers, driver’s license numbers, and financial account information. 

April 24

Robeson Health Care Corporation

Robeson Health Care Corporation filed a notice of data breach with the Attorney General of Maine after learning that confidential patient data was accessed by an unauthorized party following a malware attack. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security numbers, dates of birth and protected health information.

April 24

Albertsons Companies, Inc.

Albertsons Companies, Inc. filed a notice of data breach with the Attorney General of Montana after learning that confidential information belonging to certain individuals was accessed by an unauthorized party following a malware attack. While the specific data types leaked as a result of the cyberattack have not yet been publicly confirmed, Albertsons began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.

April 24

Southeastern Louisiana University
In February 2023, reports began to surface that Southeastern Louisiana University (“Southeastern”) experienced a cybersecurity incident following comments made by the administration. At the time, however, Southeastern did not disclose any breach, which left students, faculty and the public in general wondering whether anything happened. However, since then, a prominent ransomware gang added Southeastern to the group’s list of victims, adding to the concerns.

April 24

Arnold Clark Automobiles Ltd.

Thousands of customers of U.K.-based car sales giant Arnold Clark Automobiles Ltd. have launched multi-million-pound group claims action against the company for its failure to protect their personal information during a data breach that occurred on Dec. 23, 2022, The Sunday Post reported. The company had earlier insisted that the information was safe, but emailed customers in late January informing them about the hack and loss of information.

April 23

UWEC

UW-Eau Claire’s event ticketing vendor experienced a security breach from Feb. 14 to 28, potentially affecting students, faculty and community members who bought tickets to attend university events.

April 21

Consumer Financial Protection Bureau 

Nearly 256,000 consumer accounts at the Consumer Financial Protection Bureau had their confidential information exposed in a data breach. Among the data compromised are two spreadsheets including the names and account numbers belonging to a financial institution, as well as documents with personal details from seven different financial entities' customers.

April 21

American Bar Association

The American Bar Association (ABA) has suffered a data breach after hackers compromised its network and gained access to older credentials for 1,466,000 members.

April 20

Philippine National Police

An unprotected database containing more than a million identity documents and private records of Philippine National Police personnel and applicants was exposed online for at least six weeks before access to the data was restricted in March, according to a report by a cybersecurity tracker.

April 19

CFPB

The CFPB said an employee forwarded the personal information of more than a quarter-million consumers to a personal email account, an incident that the bureau described as a “major” breach.
The employee, who was fired when the data breach came to light, sent spreadsheets with names and transaction-specific account numbers related to those 256,000 consumer accounts at a single institution, according to the bureau.

April 18

Webster Bank 

Thousands of Webster Bank customers may now have their personal information for sale on the internet. A data breach of a third party vendor, Guardian Analytics, exposed bank customers’ information.
The Connecticut Attorney General’s office says the data breach impacted 153,754 people in Connecticut. Of that group, 117,278 had their name and account number exposed. 36,476 people had their name, account number, and social security number exposed.

April 18

La Clinica de La Raza

La Clinica de La Raza (“La Clinic”) filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights (“HHS-OCR”) after learning that certain employee email accounts containing confidential patient information were accessed by an unauthorized party over the course of a two-week period. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security numbers, dates of birth, financial account information, payment card information, online credentials, medical treatment information, and health insurance information. 

April 18

University of the People

The University of the People (“UoPeople”) filed a notice of data breach with the Attorney General of Maine after learning that an unauthorized party was able to access confidential information stored on the school’s SharePoint platform. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names and Social Security numbers. 

April 17

CommonSpirit health-care system

According to an April 6 CommonSpirit update, these Kentucky facilities were included in the ransomware event: Flaget Memorial Hospital, Bardstown; Saint Joseph Hospital, Lexington, Nicholasville; Saint Joseph Health Community Pharmacy, Lexington; Saint Joseph Berea; Saint Joseph East, Lexington; Saint Joseph London; Saint Joseph Mount Sterling; Saint Joseph Mount Sterling Outpatient Rehab; Saint Joseph Mount Sterling Outpatient Rehab, Flemingsburg; Continuing Care Hospital, Lexington; and CHI Saint Joseph Medical Groups in Central and Eastern Kentucky, as well as Jewish Hospital in Louisville and Saint Joseph Martin in Floyd County, which were formerly part of CHI.

April 17

CommScope

The North Carolina–based company, which designs and manufactures network infrastructure products for a range of customers, including hospitals, schools and U.S. federal agencies, was listed on the dark web leak site of the Vice Society ransomware gang.
TechCrunch reviewed portions of the data, which include internal documents, invoices and technical drawings. The trove also contains personal data of thousands of CommScope employees, including full names, postal addresses, email addresses, personal numbers, Social Security numbers and bank account information. Another folder among the leaked data includes scans of employee passports and visa documentation.

April 17

Iowa Medicaid
Approximately 20,800 members in Iowa's Medicaid program were affected in a data breach of a third-party vendor hired by the state to help manage the state health insurance program for Iowans who are poor or disabled.
The breach, which took place between June 30 and July 5 of 2022, compromised individuals' personal and health information, such as their full names or details of their enrollment.

April 14

Harding, Shymanski & Company, PSC (“HSC”) 

HSC hfiled a notice of data breach with the Montana Attorney General after learning that an employee’s credentials were used to access customer 2021 tax returns, leading to fraudulent 2022 tax returns being filed on behalf of certain patients. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, dates of birth, Social Security numbers, driver’s license numbers, bank account numbers, routing numbers, and investment or brokerage account information.

April 14

Santa Clara Family Health Plan (“SCFHP”) 

SCFHP filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after learning that confidential consumer information in the company’s possession was subject to unauthorized access. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ protected health information, which may include medical records, Social Security numbers, past and current medications and health insurance information. 

April 12

Kodi

Open source home theater software developer Kodi this week announced that it has started rebuilding its user forum following a February 2023 data breach.
The incident was disclosed last week, after a threat actor started advertising on underground forums a dump of Kodi’s user forum (MyBB) software. The hacker offered the data of 400,000 Kodi users, including on the now-defunct BreachForums cybercrime website. 
The attackers compromised the account of an inactive administrator and accessed the web-based MyBB admin console on February 16 and 21, creating database backups and downloading existing nightly full backups.

April 12

Iowa Department of Health and Human Services (HHS)

The Iowa Department of Health and Human Services (HHS) announced on Tuesday that a data breach at a third-party contractor affected around 20,800 Iowa Medicaid members. Independent Living Systems (ILS), a state-contracted company responsible for performing service assessments, detected the breach, which is believed to have occurred from June 30 to July 5, 2022. The breach led to the release of personal identifying information, including full names, Medicaid details, and other sensitive data. 

April 12

Hyundai

Hyundai has disclosed a data breach impacting Italian and French car owners and those who booked a test drive, warning that hackers gained access to personal data.
Hyundai is a multinational automotive manufacturer selling over half a million vehicles per year in Europe, with a market share of roughly 3% in France and Italy.

April 11

YUM Brands

KFC, Pizza Hut, and Taco Bell parent company Yum Brands has confirmed that personally identifiable information (PII) was compromised in a January 2023 ransomware attack.
Initially disclosed on January 18, the cyberattack resulted in Yum taking systems offline to contain the incident and closing roughly 300 restaurants in the UK for one day.
At the time, the company said that only corporate data was stolen during the attack, but a filing with the Maine Attorney General’s Office reveals that PII was compromised as well.
In a notification letter sent to potentially impacted individuals, Yum states that personal information such as names, driver’s license numbers, ID numbers, and other types of personal identifiers was stolen during the ransomware attack.

April 11

Webster Bank

Webster Bank filed a notice of data breach with the Maine Attorney General after learning of a third-party data breach at Guardian Analytics, Inc., one of Webster Bank’s vendors. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers and financial account information. 

April 10

Rochester Public Schools

Rochester Public Schools confirmed a data breach that forced them to cancel classes on Monday, while staff devised a plan to teach without most - if not all - network access.

“Earlier today, we confirmed that an outside actor has gained access to some school district data. Please know, as of now, we have no evidence that any data associated with this event has been used for financial fraud or identity theft. As our investigation continues, as a best practice, you should always remain vigilant in reviewing your financial account statements and credit reports for fraudulent or irregular activity on a regular basis. We will be in contact with affected individuals whose data was accessed as soon as we are able.”

April 10

Elmbrook School District

A breach that exposed the names and Social Security numbers of current and former Elmbrook School District employees continued even after the district was aware of the problem.
The district learned its system had been compromised on Aug. 23, 2022, according to Elmbrook School Chief Strategy Officer Chris Thompson. Files were removed from Aug. 23-27, 2022, an investigation revealed.

April 7

Brightline, Inc

Brightline, Inc. filed a notice of data breach with the Maine Attorney General’s Office after the company following a third-party data breach at Fortra, one of the company’s vendors. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, member IDs, dates of birth, phone numbers, employers’ names and group ID numbers, and coverage start/end dates.

April 7

US Government

Pentagon investigating leak of classified documents about military plans in Ukraine
The Pentagon is investigating the leak of classified documents detailing U.S. and NATO military support plans for Ukraine. CBS News national security correspondent David Martin explains that the security breach could involve more than just the war in Ukraine.

April 7

MSi

Following reports of a ransomware attack, Taiwanese PC vendor MSI (short for Micro-Star International) confirmed today that its network was breached in a cyberattack.

Earlier this week, the Money Message ransomware gang claimed to infiltrate some of MSI's systems and stolen files that will be leaked online next week if the company refuses to pay a $4 million ransom.

April 7

Tallahassee Memorial HealthCare

Tallahassee Memorial HealthCare (TMH) provided a healthcare data breach notice to HHS following a February breach. The incident impacted 20,376 individuals in total. As previously reported, TMH began responding to an IT security issue in early February by taking its IT systems offline as a precaution. TMH diverted some EMS patients and rescheduled all non-emergency surgical and outpatient procedures as it continued to deal with the incident.

In a March 31 update, TMH determined that an unauthorized party had accessed its network and obtained certain files between January 26 and February 2, 2023.

April 7

GoAnywhere MFT
Hackers have released 16,000 Tasmanian education department documents on the dark web including schoolchildren’s personal information, the state government has confirmed.
The state’s science and technology minister, Madeleine Ogilvie, on Friday said thousands of financial statements and invoices containing names and addresses of school students and their parents had been released after the third-party file transfer service GoAnywhere MFT
was hacked.

April 6

Z2U
At least 600,000 records of stolen customer data and accounts have been left exposed for an undetermined length of time on a Chinese site called Z2U, which operates as a game trading market, reports SiliconANGLE. The database contained different types of illegally acquired records such as personal emails and passwords, user identifications, login details, bank account numbers, bank transactions, software license keys, credit card images and identification documents such as passports. Some of the compromised information included customer accounts on the streaming sites HBO, Disney+, and Netflix and social media sites Instagram and Facebook.

April 6

UH Maui
UH Maui College is reporting a third party data breach on the University's computer network that occurred in mid-February.
UH Information Technology Services officials reportedly took immediate action as soon as the incident was discovered.
The breach was isolated to the UH Maui College network, which had been protected by a firewall and other safeguards before the event. This event did not impact other networks in the UH System.

April 6

Nebu
A number of Dutch market research firms using a piece of industry software called Nebu have been breached, and the fallout appears to include about two million Netherlands residents. The data breach seems to mostly consist of contact information, but also includes income data, and in at least some small number of cases it is possible that more sensitive personal information was included as well.
The types of information leaked in the data breach vary quite a bit, given that a number of different organizations in different verticals were compromised. In some cases, the attackers got only basic contact information included with a survey, while in at least one other they may have taken sensitive information from a pension fund.

April 28

Kodi
Streaming platform Kodi confirmed that it suffered a data breach after the account of a “trusted but inactive” member of its user forum admin team was twice-used to access its web-based MyBB admin console.

April 5

Oakland, CA
Oakland city officials have confirmed this week that significantly more data has been released on the dark web by the ransomware group that attacked the city in February.
The Play ransomware group, which took credit for launching the crippling attack, published 600 gigabytes of city data after releasing an initial batch of 10GB last month.
On Tuesday, the city confirmed the second leak, writing in a statement that it was working with specialists and law enforcement to investigate the files.
The city also acknowledged the breadth of data published in the first batch — which included troves of documents stolen from the city police department and other offices within the city government. Even the personal information of Mayor Sheng Thao was leaked.

April 28

Kodi
Streaming platform Kodi confirmed that it suffered a data breach after the account of a “trusted but inactive” member of its user forum admin team was twice-used to access its web-based MyBB admin console.

April 4

NewYork-Presbyterian Hospital (NYP)

NYP is the latest healthcare organization to report a data breach stemming from its use of tracking and analytics tools. As previously reported, Meta, Google, and other tech companies have been facing backlash over the use of tracking pixels on healthcare websites.

In October 2022, Advocate Aurora Health notified 3 million individuals of a breach stemming from the use of tracking pixels, and Novant Health notified 1.3 million individuals of potential unauthorized data disclosures resulting from its use of pixels.

In the case of NewYork-Presbyterian Hospital, more than 54,000 individuals were recently notified that the use of third-party tracking and analytics tools on its public-facing website may have resulted in the exposure of patient information.

April 3

Western Digital 
Data storage giant Western Digital has confirmed that hackers exfiltrated data from its systems during a “network security incident” last week.
The California-based company said on Monday that an unauthorized third party gained access to “a number” of its internal systems on March 26. Western Digital hasn’t confirmed the nature of the incident or revealed how it was compromised, but its statement suggests the incident may be linked to ransomware.
“Based on the investigation to date, the company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data,” Western Digital said.

April 1

TMX
TMX Finance and its subsidiaries TitleMax, TitleBucks, and InstaLoan have collectively disclosed a data breach that exposed the personal data of 4,822,580 customers.
TitleMax is a lending business operating 1,100 stores across the U.S., TitleBucks is a car title loans service, and InstaLoan is a fast-approval personal loan service for those with bad credit.
In a data breach notification letter sent yesterday to impacted individuals, the Canadian finance giant informs that hackers breached its systems in early December 2022 but did not detect the breach until February 13th, 2023.

March 2023

March 29

US Wellness

US Wellness filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after learning that a data security incident at one of the company’s vendors compromised certain customers’ protected health information. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, dates of birth, member ID numbers, and other protected health information.

March 29

US Wellness

US Wellness filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after learning that a data security incident at one of the company’s vendors compromised certain customers’ protected health information. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, dates of birth, member ID numbers, and other protected health information.

March 29

P&G
THE WHAT? Procter & Gamble has confirmed that it is one of the companies affected by a data breach of the GoAnywhere MFT file-sharing platform. As part of this incident, an unauthorized third party obtained some information about P&G employees.
THE DETAILS The number of employees concerned has not been disclosed. The platform was compromised in early February and the attackers were unable to access financial or social security data, P&G said, and, at this time, there is no indication that customer data was compromised.
THE WHY? The breach is said to have been part of a sustained attack by hackers Clop, who claim to have breached secure servers for more than 130 organizations. Their attempt to extort the victims has failed as more and more companies have publicly acknowledged the breach.

March 28

Community Health Systems (CHS) 

CHS said they were notified by Fortra, LLC, a contracted cyber security firm, that an unauthorized party accessed personal information on their system between January 28 and January 30 of 2023.
Fortra LLC provides secure file transfer software called GoAnywhere to CHSPSC LLC, a professional service company that provides services to hospitals and clinics affiliated with Community Health Systems.

March 28

Meriton 
One of Australia's biggest property giants has been hit by cybercriminals who may have made off with highly sensitive personal data including birth certificates and bank details, as well as information about salaries and disciplinary proceedings.
Guests and staff members employed by Meriton were affected by the data breach when hackers struck the luxury developer on January 14 this year.
The incident compelled the company to warn approximately 1,889 people to take steps to protect themselves.

March 27

Florida Medical Clinic (“FMC”)

Florida Medical Clinic (“FMC”) filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights (“HHS-OCR”) after learning that unauthorized actors gained access to the FMC computer system following a ransomware attack. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, medical information, phone numbers, email addresses, dates of birth, and addresses.

March 27

Crown Resorts 

Crown Resorts has confirmed it is investigating a potential global data breach after it was contacted by a hacker group that claims to have obtained company files.
The gaming and entertainment group said it was recently contacted by a ransomware group claiming to have illegally obtained a limited number of Crown files through the breach of third-party file transfer service GoAnywhere.

March 24

ChatGPT

OpenAI's ChatGPT has suffered its first major personal data breach.
The breach came during a March 20 outage and exposed payment-related and other personal information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window, according to a blog post by OpenAI Friday, March 24.

March 20

Ferrari 

Italian sports car maker Ferrari said on Monday that a threat actor had demanded a ransom related to customer contact details that may have been exposed in a ransomware attack.
The company did not say when the incident occurred, but it could be related to reports of a ransomware attack back in October 2022, when the “RansomEXX” group claimed it had stolen and leaked 7 GB of data from Ferrari—which Ferrari denied at the time.

March 19

QIMR Berghofer

QIMR Berghofer has been hit by an unpublicised data breach, with the personal details of more than 1,000 people feared to have been accessed by hackers.

March 18

Hitachi Energy

Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a GoAnyway zero-day vulnerability.

March 17

NBA

The NBA (National Basketball Association) is notifying fans of a data breach after some of their personal information, "held" by a third-party newsletter service, was stolen.

March 16

Latitude Financial Services 

Latitude Financial Services (Latitude) has disclosed a data breach after suffering a cyberattack, causing the company to shut down internal and customer-facing systems.
Latitude is one of Australia's largest personal loans provider and the country's largest non-bank consumer credit lender.

A subsidiary of Deutsche Bank and KKE, the firm provides a broad spectrum of consumer finance services, including unsecured personal loans, credit cards, car loans, personal insurance, and interest-free retail finance.

March 15

IPH Ltd

IPH Ltd (IPH.AX), an intellectual property (IP) services provider, on Thursday reported a data breach in a portion of its IT systems, becoming the latest Australian company to be targeted by hackers and sending its shares tumbling 12%.
IPH said that on Monday it detected unauthorised access to document management systems, which include administrative documents, and some client documents and correspondence, at its head office and two member firms, Spruson & Ferguson (Australia) and Griffith Hack.

March 14

Trinity Health Corporation 

Trinity Health Corporation (“Trinity”) filed a notice of data breach with the Massachusetts Attorney General after learning that a data security incident resulted in the confidential information of tens of thousands of patients being leaked. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, phone numbers, email addresses, prescription information, medical record numbers, patient ID numbers, dates of birth and other protected health information.

March 13

The Arizona Department of Economic Security

The Arizona Department of Economic Security says the personal information of some members may have been exposed. DES says it discovered the breach January 19.
The department says a former employee in the Division of Developmental Disabilities had records that contained protected health information such as names, addresses, phone numbers, dates of birth, and Arizona Health Care Cost Containment System (AHCCCS) identification numbers.

March 13

Housing Authority of the City of Los Angeles (HACLA)

The Housing Authority of the City of Los Angeles (HACLA) is warning of a "data security event" after the LockBit ransomware gang targeted the organization and leaked data stolen in the attack.
HACLA is a state-chartered agency that provides affordable housing to low-income individuals and families in Los Angeles, California.
According to the data breach notice, on December 31, 2022, HACLA discovered that computer systems on its network had been encrypted, forcing the agency's IT team to shut down all servers and launch an investigation.

March 13

Zoll Medical

Medical technology developer Zoll Medical is notifying roughly one million individuals that their personal information might have been compromised in a recent data breach.

According to Zoll, the compromised information included names, addresses, birth dates, and Social Security numbers.

March 29

US Wellness

US Wellness filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after learning that a data security incident at one of the company’s vendors compromised certain customers’ protected health information. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, dates of birth, member ID numbers, and other protected health information.

March 07

ACER
Taiwanese computer giant Acer confirmed that it suffered a data breach after threat actors hacked a server hosting private documents used by repair technicians.
The confirmation of a data breach comes after a threat actor began selling on a popular hacking forum what they claim is 160GB of data stolen from Acer in mid-February 2023.

March 06

Flutterwave

Last month, Flutterwave, Africa’s largest startup by private valuation, was involved in a hack that resulted in more than ₦2.9 billion (~$4.2 million) missing from its accounts, according to local tech publication Techpoint Africa.

According to the documents seen by the publication and reviewed by TechCrunch, unknown actors transferred the funds across 28 accounts in 63 transactions in early February. Police investigations are ongoing as Flutterwave, via legal counsel and law enforcement parties, has filed a motion and seeks to freeze accounts across 27 financial institutions that interacted with the missing funds, Techpoint Africa reported. 

March 05

Rio Tinto

Mining giant Rio Tinto has been caught up in a concerning technology breach that has exposed the private communications of some of its employees.

March 04

Tennessee State University & Southeastern Louisiana

a public historically black land-grant university in Nashville — notified its more than 8,000 students on Wednesday that its IT systems were brought down by a ransomware attack.

March 04

Chick-Fil-A

On Friday morning, Chick-Fil-A released a statement about a data breach on their mobile app.
In their statement, the restaurant said the data breach concerned the personal information of app users. The company also provided details about the breach, measures that were taken as a response, and a list of resources to help customers.
After the investigation, Chick-fil-A learned that a cyber attack had been launched on their website and app between December 2022 and February of this year. The attack was launched using email addresses and passwords from a third-party source.

March 02

The Sandbox

Blockchain-based game The Sandbox said a phishing email has been sent to some users as a result of a security breach.
An unauthorized third party gained access to an employee's computer and used it to email users, The Sandbox said in a blog post Thursday. The email, entitled "The Sandbox Game (PURELAND) Access," included links to malware that could be used to gain access to the personal information of those who click on them. The firm didn't indicate how many people had received the email.

March 02

WH Smith

High Street retailer WH Smith has been hit by a cyber-attack, with hackers accessing some of its workers' data.
Data that may have been breached includes names, addresses, National Insurance numbers and dates of birth of the firm's current and former UK staff.

March 02

GunAuction.com

Hackers breached a website that allows people to buy and sell guns, exposing the identities of its users, TechCrunch has learned.
The breach exposed reams of sensitive personal data for more than 550,000 users, including customers’ full names, home addresses, email addresses, plaintext passwords and telephone numbers. Also, the stolen data allegedly makes it possible to link a particular person with the sale or purchase of a specific weapon.

March 02

Hatch Bank 

Fintech banking platform Hatch Bank has reported a data breach after hackers stole the personal information of almost 140,000 customers from the company's Fortra GoAnywhere MFT secure file-sharing platform.

As reported by TechCrunch, data breach notifications sent to impacted customers and filed with Attorney General's offices warned that hackers exploited a vulnerability in the GoAnywhere MFT software to steal the data of 139,493 customers.

March 01

Crystal Bay Casino

Crystal Bay Casino filed notice of a data breach with the attorney general offices in Maine, Montana and Massachusetts after learning that an unauthorized party accessed files on the company’s computer network containing confidential consumer information. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers and driver’s license numbers. 

February 2023

February 27

Middlebury College

Middlebury College is issuing a warning to people who recently purchased tickets to college events online during the month of February that their personal information may have been stolen.
The college said the issue involves a third-party vendor for campus event ticketing, AudienceView, which reported last week that it was recently impacted by a payment card data security breach.

February 27

Middlebury College

Middlebury College is issuing a warning to people who recently purchased tickets to college events online during the month of February that their personal information may have been stolen.
The college said the issue involves a third-party vendor for campus event ticketing, AudienceView, which reported last week that it was recently impacted by a payment card data security breach.

February 27

U.S. Marshals Service

The U.S. Marshals Service reported a cyber intrusion that put potentially sensitive law enforcement information at risk, the agency acknowledged Monday.
Agency spokesman Drew Wade said the ransomware incident targeting a "stand-alone" system was discovered Feb. 17, prompting officials to "disconnect" its operation while launching an investigation into what authorities described as a "major incident."
"The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees," Wade said.

February 27

News Corp

Media giant News Corp has disclosed new details about a data breach discovered last year and attributed to a state-sponsored threat actor.
Employees of News Corp are being sent breach notification letters this week following a January 2022 breach that the company believes the Chinese government was behind. 
On Wednesday, News Corp submitted documents to Massachusetts confirming the breach. A News Corp spokesperson would not tell The Record how many people were sent letters but at least one person in Massachusetts was sent a copy.  

February 27

Stanford University

Stanford University has announced unauthorized access to Economics Ph.D. program admission files was obtained through a misconfiguration in the file folder's settings, said Stanford University, which noted that breach notifications have already been sent to 897 individuals affected by the incident.

February 24

Rancho Mesquite Casino

Popular Australian electronics retailer The Good Guys has revealed some of its customers' personal A hacker was able to access the sensitive information involving Rancho Mesquite Casino over several days in November 2022, documents said. Information accessed included full names and Social Security numbers.

February 24